On Tue, Jun 21, 2011 at 6:24 PM, Reindl Harald <h.rei...@thelounge.net>wrote:
> > > Am 21.06.2011 18:22, schrieb Ferenc Kovacs: > > On Tue, Jun 21, 2011 at 6:14 PM, Reindl Harald <h.rei...@thelounge.net > >wrote: > > > >> > >> > >> Am 21.06.2011 17:55, schrieb Tomas Kuliavas: > >> > >>> They submit it in utf-8 only if your html form allows them to do that > or > >>> they don't follow html specification and try to exploit your form. Set > >>> form input charset to iso-8859-1 and your nbspace will take only one > >> byte. > >> > >> and this naive attitude is the root of most security problems! > >> > >> why do you believe that every client submission is coming over > >> your form or generally over anything you can control? > >> > >> > > that doesn't matter here, Tomas just corrected John, that his statement > that > > chrome will always use utf-8 encoding for some special character isn't > true. > > browsers will adhere the > > http://www.w3.org/TR/html401/interact/forms.html#adef-accept-charset > > of course you can't trust user input, and you have to validate it, but > this > > has nothing to do with this topic > > it has > > how du you validate input if the string-functions having undefined results > which you probably use for your validation? > > what do you mean by undefined? if you use iso-8859-1 in your whole app and database, it doesn't matter from the security POV if somebody sends you crafted utf-8 data. if you mix up your encodings or you don't escape with the proper encoding, then that can get hit you ( http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string ) the multiby support in the php core isn't undefined, just unsupported. :/ use intl or mbstring for handling multibyte encodings. Tyrael